Ananay Ojha 91 Reputation points

I visit the URL below to give admin consent so that my point-to-site users can be authenticated using Azure Active Directory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

But unfortunately I am getting the following error:

Request Id: 5617774a-a381-44ca-b1be-a9e1429b4f00
Correlation Id: 2a1c2bf8-e159-4890-a470-450a27a695a5
Timestamp: 2022-03-08T09:26:44Z
Message: AADSTS50020: User account 'ananayojha@Stuff .com' from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application '41b23e61-6c1e-4545-b367-cd054e0ed4b4'(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Please help me resolve this.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. GitaraniSharma-MSFT 48,016 Reputation points Microsoft Employee

    Hello @Ojha18a-0713 ,

    I understand that you are trying to set up Azure point-to-site VPN with Azure Active Directory authentication and were trying to give admin consent for your point-to-site users to be authenticated using Azure AD by visiting the following URL: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent , but are receiving the "AADSTS50020" error.

    As per our official doc, you need to sign in to the Azure portal as a user that is assigned the Global administrator role. If you are using a global admin account that is not native to the Azure AD tenant to provide consent, please replace “common” with the Azure AD directory id in the URL (https://login.microsoftonline.com/**common**/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent). You may also have to replace “common” with your directory id in certain other cases as well.

    The Directory ID of the directory that you want to use for authentication is listed in the properties section of the Active Directory page.
    Please refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication

    NOTE :

    • A native member of an Azure AD tenant is a member user or Azure AD member whose account is created via the Azure AD > Users > Create user option in the tenant.
    • A user not native to the Azure AD tenant is a user who is brought over from another directory as a business-to-business (B2B) collaboration guest (guest user).

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

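As an added example (not code from the answer or from Microsoft's documentation), the following Python helper applies the fix described above: it rewrites the admin-consent URL from the `common` endpoint to a tenant-specific one, refusing anything that is not a GUID or not an authorize endpoint, and checks that the query string still requests admin consent for the Azure VPN application. The directory ID used in the usage block is a placeholder, not a real tenant.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Azure VPN application ID, taken from the URL in the question.
AZURE_VPN_CLIENT_ID = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def tenant_specific_consent_url(url: str, directory_id: str) -> str:
    """Replace the 'common' tenant segment of an authorize URL with a directory ID.

    Raises ValueError on a non-GUID directory ID or an unexpected host/path, so a
    typo cannot silently produce a consent request against the wrong tenant.
    """
    if not GUID_RE.match(directory_id):
        raise ValueError(f"directory id is not a GUID: {directory_id!r}")
    parts = urlsplit(url)
    if parts.netloc.lower() != "login.microsoftonline.com":
        raise ValueError(f"unexpected host: {parts.netloc}")
    segments = parts.path.split("/")  # ['', '<tenant>', 'oauth2', 'authorize']
    if len(segments) < 4 or segments[2:4] != ["oauth2", "authorize"]:
        raise ValueError(f"not an authorize endpoint path: {parts.path}")
    segments[1] = directory_id
    return urlunsplit(parts._replace(path="/".join(segments)))


def check_admin_consent_params(url: str) -> list:
    """Return a list of problems with the consent URL's query string (empty = OK)."""
    q = parse_qs(urlsplit(url).query)
    problems = []
    if q.get("client_id") != [AZURE_VPN_CLIENT_ID]:
        problems.append("client_id is not the Azure VPN application")
    if q.get("prompt") != ["admin_consent"]:
        problems.append("prompt=admin_consent missing")
    if q.get("response_type") != ["code"]:
        problems.append("response_type should be code")
    return problems


if __name__ == "__main__":
    COMMON_URL = ("https://login.microsoftonline.com/common/oauth2/authorize"
                  f"?client_id={AZURE_VPN_CLIENT_ID}&response_type=code"
                  "&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent")
    # Placeholder directory ID; substitute the value from Azure AD > Properties.
    PLACEHOLDER_DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"
    print(tenant_specific_consent_url(COMMON_URL, PLACEHOLDER_DIRECTORY_ID))
    print("problems:", check_admin_consent_params(COMMON_URL) or "none")
```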

1 additional answer

  1. Mantas Kukenys 21 Reputation points

    I am having the same issue, unable to add the app registration to the AAD tenant.
    I am sure I am using a Global Administrator account.
    I have also tried to replace the /common/ part with the tenant ID.

    Here is the error I am receiving:


    1 person found this answer helpful.